FTP active mode, HSRP and NAT

arturo.reyna
Level 1

Hello:

I have a problem with FTP in active mode. I'm trying to connect to an FTP server in an outside network.

Connectivity from my inside network to the outside network is through two routers using HSRP for backup and static NAT, because we have to present one public address. I have one Ethernet interface from each router to the outside network running HSRP; each 3620 router also has two serial ports, one to different sites in my network and one connecting the two routers back to back for backup.

My routers are 3620s running two different versions: 12.1(5)T5 and 12.2(17a). This is the configuration I use.

3620-1 (active router)

interface ethernet 0/0
 ip address 10.248.100.26 255.255.255.0
 standby 173 ip 10.248.100.28
 standby 173 priority 110
 standby 173 preempt
 ip nat outside
!
interface Serial1/0
 description LINK TO SITE A
 bandwidth 64
 ip address 128.10.206.254 255.255.255.0
 ip nat inside
!
interface Serial1/1
 description BACK TO BACK 3620-1
 bandwidth 128
 ip address 128.10.75.254 255.255.255.0
 ip nat inside
 clockrate 128000
!
ip nat inside source static 128.10.70.97 168.165.173.67
ip route 140.240.11.32 255.255.255.255 10.248.100.1

3620-2 (standby router)

interface ethernet 0/0
 ip address 10.248.100.27 255.255.255.0
 standby 173 ip 10.248.100.28
 standby 173 preempt
 ip nat outside
!
interface Serial1/0
 description LINK TO SITE B
 bandwidth 128
 ip address 128.10.207.254 255.255.255.0
 ip nat inside
!
interface Serial1/1
 description BACK TO BACK TO 3620-2
 bandwidth 128
 ip address 128.10.75.253 255.255.255.0
 ip nat inside
 clockrate 128000
!
ip nat inside source static 128.10.70.97 168.165.173.67
ip route 140.240.11.32 255.255.255.255 10.248.100.1

The FTP session is from my client with IP 128.10.70.97 to the server with IP 140.240.11.32. Please note that I'm NATing my IP address to be allowed to reach the server. The IP of the server is a NAT address too.

The problem is that we are not able to transfer data in the FTP session: when I connect I am able to log on, but when I type dir or another command (get, put) I don't receive a response from the FTP server.

One thing: I repeated this test with FTP passive mode and I was able to log on and run dir (display the files on the server) and get and put files. If I shut down one Ethernet interface (with HSRP) I am able to connect with FTP active mode. I think the problem is because I'm using HSRP and NAT at the same time on the same router.

Does somebody know if I can work with FTP active mode with this configuration?

Can you recommend an action?

Thanks in advance.

4 Replies

s_fisher
Level 1

On the return path from the FTP server, how is your client IP (128.10.70.97) routed? Across the link from "Site A" to 3620-1 and/or the link from "Site B" to 3620-2?

My primary path is via site B, where I have better bandwidth; only in case of failure do I work over link A.

Thank you.

The problem appears to be caused by your primary HSRP router being 3620-1 and Link-A. When you make an FTP connection through this router and link, the NAT is built on that router only. This is fine for the control connection, but in active mode FTP the data connection is initiated from the server back to the client and comes in through Link B to 3620-2. The NAT table on 3620-2 does not know about the FTP connection initiated through 3620-1 so it drops the packet.

Passive mode FTP works because it initiates both control and data connections from inside so they will both pass through the same router and NAT table (3620-1 and Link A).

A good solution to this would be to use a new feature called Stateful NAT (SNAT) but it does not work with FTP yet. For now, try making your HSRP primary router be 3620-2 for Link B as that is where traffic returns through per your message.
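As an added illustration of the explanation above (example code, not part of the thread or any Cisco software), a small Python model of two NAT routers with independent translation state: the FTP ALG on the router that sees the PORT command rewrites the embedded inside address and records the expected server-to-client data connection, and the server's inbound SYN is accepted only by a router that holds that state. The addresses are the thread's; the router class, the PORT value and the simplified state table are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Topology from the thread: inside client statically NATed to one public address.
INSIDE, OUTSIDE, SERVER = "128.10.70.97", "168.165.173.67", "140.240.11.32"

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_port(cmd):
    """Return (ip, port) announced in an FTP PORT command (RFC 959: h1,h2,h3,h4,p1,p2)."""
    m = PORT_RE.fullmatch(cmd.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])

@dataclass
class NatRouter:
    """One HSRP member. Its table of expected inbound flows is local and NOT shared
    with the peer (constructed simplification of per-router NAT/ALG state)."""
    name: str
    expected: set = field(default_factory=set)  # entries: (src_ip, dst_ip, dst_port)

    def alg_port(self, cmd):
        """FTP ALG on the control connection: rewrite the PORT payload to the outside
        address and remember that the server will open a data connection to that port."""
        ip, port = parse_port(cmd)
        if ip != INSIDE:
            raise ValueError("PORT address %s is not the NATed client" % ip)
        self.expected.add((SERVER, OUTSIDE, port))
        # Note the payload grows ("128,10,70,97" -> "168,165,173,67"), so the ALG must
        # also adjust TCP sequence numbers on the rest of this control connection.
        return "PORT %s,%d,%d" % (OUTSIDE.replace(".", ","), port // 256, port % 256)

    def inbound_syn(self, src, dst, dport):
        """Server-initiated data connection arriving from outside: forwarded only if
        this router created the matching state; otherwise it is dropped."""
        return (src, dst, dport) in self.expected

def active_mode(control_router, return_router, cmd="PORT 128,10,70,97,7,209"):
    """True if the active-mode data connection succeeds when the control channel
    goes out via control_router and the server's return traffic enters via return_router."""
    control_router.alg_port(cmd)
    _, port = parse_port(cmd)
    return return_router.inbound_syn(SERVER, OUTSIDE, port)
```

Running `active_mode(NatRouter("3620-1"), NatRouter("3620-2"))` models the thread's failure (state on 3620-1, return path through 3620-2), while passing the same router for both arguments models the suggested fix of making the return-path router the HSRP active one.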

I'll try it that way.

Thanks a lot.